It’s by a Chinese company, and collects telemetry on its users via Umeng+, which is a Beijing-based analytics company. Even though it’s open source, the code is large enough that it’s hard to tell if there is anythinf compromising in there from the Chinese government, and/or whether/what data collected by Umeng+ is making it to the Chinese government.
Does wonders to find anything, but you need to know what you’re looking for. I’d probably look for DNS names that end in government or China specific TLDs to start with.
I know you’re be facetious here and I’m ignorant to actual application security methodology. I do have to ask though, when you are looking for something in code that could be a security risk, isn’t it possible to look for methods or functions used to lookup DNS, outbound network calls, or even libraries used to obfuscate code? It seems to me that most programmers wouldn’t go through lengths to obfuscate their code and would want it to be readable/maintainable, so doing so would be a red flag.
Obviously no one is going to search for “evil spyware” when auditing code. Your point stands it is not as simple as that.
You’re totally right, I just think you underestimate how long it takes to rigorously audit a whole codebase. Let’s say you look for outvound network calls. Now you need to figure out for all of them whether they are malicious, which will require specific domain knowledge. And that’s assuming you find them all, the network call could be hidden away in a dependency. None of this is impossible but it requires a serious effort.
it’s trivial to break that approach by obfuscating strings. You can do things like using base64 encoded strings in the source code, building strings from smaller component parts, or using rot13 on, say, the host component of a URI. That last one could be pretty interesting if you, as a threat actor, owned both permutations. The hostname (minus TLD) in the source code could be the nice, human readable version (www.happysite.org) that appears to be something legit. Then, when you rot13 it to www.uncclfvgr.org, traffic is sent to the evil site doing scary things. People can be far more tricksy than that. There’s also the whole issue around whether or not the binaries you’re running actually match the code in the repo. The xz kerfuffle showed how much can be hidden that way.
EDIT: I should make it clear that I don’t use Deepin or the DE it provides because I only use WMs with no desktop, so the distro and DE are of no interest to me. I don’t know if it’s a security hazard or not, I have no horse in this fight.
Radware’s head of threat research has commented on concerns about analytics collected by Deepin, and whether these are sent to the Chinese government: while the CNZZ analytics service has been removed, analytics are still collected, now by “Umeng+”.[29] According to cybersecurity lawyer Steven T. Snyder, due to the sheer size of Deepin’s codebase, it is impossible to really scrutinize all the code comprising it to be sure the Chinese government doesn’t have backdoors.[29] The project does remain fully open source allowing anyone to review, modify or change the code to meet their standards.
Idk about worse but it is possible for two things to be bad. If one spies for china and the other spies for america, they’re both effectively the same. There’s other more trustworthy options than either however, so unless someone has a gun to your head forcing you to pick one of the two this whataboutism is a false dichotomy, just pick “something else.”
Ah yes, a dystopian government OS with direct uplink to the thought police is much less of a security risk and convenience loss than a by all objective measures reasonably working and widespread OS with broad compatibility, just because the latter is made by a for profit corporation, MICROSOFT EVUL GUYS AMIRITE
I’m a Linux user myself due to the hostile practices of win11, but get some perspective ffs
Sure…an open source OS is worse than a closed one. Because you are too lazy to check the former, yet trust the latter ignoring all its well documented cases of spying on users…
Maybe you should try to go back to basic logic over idiological tribalism before you question other people’s perspective.
Zero reading comprehension. I am not a windows user myself as I said, and would happily recommend virtually any other Linux distro (aside from the fact that I am at best a novice when it comes to the various differences) over windows.
But not one made by, or at least greenlit by an autocratic regime that actively seeks to gain influence abroad. People shouldn’t use fucking red star OS either.
Wow your propaganda susceptibility is really showing. Guess the american thought police did their job well. Imagine calling windows, a literal spyware masterpiece that sucks up every bit of data it can a " reasonably working and widespread OS with broad compatibility" and an open source piece of software, “a dystopian government OS with a direct uplink to the thought police”. Like honestly what thoughts exactly do you think China is pilicing on western users and how are they acting on them? Meanwhile Microsoft, Samsung, Google, are all actively collecting as much data as possible and not even trying to hide it anymore, despite not being open source.
Tbf windows is both those things, “a reasonably working and widespread literal spyware masterpiece that sucks up every bit of data it can, with broad compatibility.”
Not saying it’s good, but it “works,” it is widespread due to exclusivity contracts with the major manufacturers iirc and people’s reluctance to install anything else, it is compatible with a broad range of softwares and hardwares because if someone makes something it basically has to support windows, and it is great at spying on users.
Also tbf, if I ditched windows because of spying, why would I want to install a spying linux? I don’t want canonical’s bullshit either, if I’m ditching spying for spying I may as well just not and then I can keep using PKhex without going through wine ffs.
Btw china has been caught operating police stations illegally on “western™” soil. So like,
Like honestly what thoughts exactly do you think China is pilicing on western users and how are they acting on them
Why the fuck are there so many people in this thread trying to argue that a Chinese government sanctioned OS is a good choice?? Are you all insane?
My point merely was, and still is, that people shouldn’t recommend CCP bullshit over windows out of some misguided “brand loyalty” to Linux.
Yes, windows is a poor OS made by a for profit corporation, aiming to make money off their users.
Now why the fuck would anyone conclude that instead of those “only” greedy pigs, a government that doesn’t even represent them and most certainly doesn’t have their best interests in mind, should have a native snooping feed built into their daily driver?
Especially when there are more actually free and open linux distros to choose from than there are colors in a rainbow?
TLDR: Windows sucks, I agree, but literally recommending government spyware over it is batshit insane and entirely antithetical to the free and open ideology behind Linux. And all the people responding to me seem to conflate arguing against ccpOS with arguing for windows.
Its just the countries of government changed lol. It’s not like we don’t have evidenced for microsoft leaking user data and allowing fbi to hack windows computers. At least in case of deepin we don’t have evidence
The odds that the US Government, under the authority of Patriot Act, has not inserted spyware into the Windows kernel, I put at an even 50/50.
The US Government has the motive, the leverage (huge customer of Microsoft), and maybe even the legal authority (the Patriot Act overreaches like crazy, and arguably compels certain government officials to gather all available data).
To be clear, I’ve never seen a shred of evidence that there’s any official sanctioned backdoor in Windows. But I can’t honestly claim to be sure it’s not there.
It’s all a bit of a moot point though, as the vast majority of Windows installs export nearly every scrap of data to Office Cloud, and if Office Cloud doesn’t have a government back door, I will eat my hat.
Source: The text of the Patriot Act. It basically outright says “we will put a listener anywhere we can reasonably fit one, on US soil.”
This is ridiculous. If someone could write the code, someone cluld analyze it. If noone has found anything suspicious or incriminating then this just seems like anti china propaganda. “Maybe this Chinese company is collecting data! Even though their code is publically available we cant know for sure!” Meanwhile every US company is sucking up telemetry on every keystroke. Like what a thing to argue about when Microsoft, Samsung, Google, Meta, etc etc exist. And tbh, id rather china have my data then the US anyway. The US is both more likely and more capable of using it against me.
Not just deepin, but really any piece of software made by a Chinese or Chinese owned company should be treated with suspicion. At least, until the inevitable fall of the CCP occurs.
This is insane. US companies blatantly collect data, meanwhile a chinese company releases OPEN SOURCE software that hasnt been shown to do anything malicious and your response is “but maybe they somehow hid some tracking in there”. Bro examine your prejudices.
What gets me is how everyone can spout this shit and not feel any shame. Somehow it’s okay when US companies do it, but even suspecting the Chinese is enough to shun something. I’m disappointed to see all the upvotes this bigotry gets.
First time seeing hate for deepin. What’s wrong with it?
It’s by a Chinese company, and collects telemetry on its users via Umeng+, which is a Beijing-based analytics company. Even though it’s open source, the code is large enough that it’s hard to tell if there is anythinf compromising in there from the Chinese government, and/or whether/what data collected by Umeng+ is making it to the Chinese government.
So I guess the backdoor is buried DeepIn the code
I mean a simple
grep -r “string” *
Does wonders to find anything, but you need to know what you’re looking for. I’d probably look for DNS names that end in government or China specific TLDs to start with.
grep -r "evil spyware" *
nothing? awesome, I guess this software is safe to use. Let’s gooo
I know you’re be facetious here and I’m ignorant to actual application security methodology. I do have to ask though, when you are looking for something in code that could be a security risk, isn’t it possible to look for methods or functions used to lookup DNS, outbound network calls, or even libraries used to obfuscate code? It seems to me that most programmers wouldn’t go through lengths to obfuscate their code and would want it to be readable/maintainable, so doing so would be a red flag.
Obviously no one is going to search for “evil spyware” when auditing code. Your point stands it is not as simple as that.
You’re totally right, I just think you underestimate how long it takes to rigorously audit a whole codebase. Let’s say you look for outvound network calls. Now you need to figure out for all of them whether they are malicious, which will require specific domain knowledge. And that’s assuming you find them all, the network call could be hidden away in a dependency. None of this is impossible but it requires a serious effort.
it’s trivial to break that approach by obfuscating strings. You can do things like using base64 encoded strings in the source code, building strings from smaller component parts, or using rot13 on, say, the host component of a URI. That last one could be pretty interesting if you, as a threat actor, owned both permutations. The hostname (minus TLD) in the source code could be the nice, human readable version (www.happysite.org) that appears to be something legit. Then, when you rot13 it to www.uncclfvgr.org, traffic is sent to the evil site doing scary things. People can be far more tricksy than that. There’s also the whole issue around whether or not the binaries you’re running actually match the code in the repo. The xz kerfuffle showed how much can be hidden that way.
EDIT: I should make it clear that I don’t use Deepin or the DE it provides because I only use WMs with no desktop, so the distro and DE are of no interest to me. I don’t know if it’s a security hazard or not, I have no horse in this fight.
There are so many ways to obfuscate things that your approach won’t work.
Western concerns about connections to Chinese government
Radware’s head of threat research has commented on concerns about analytics collected by Deepin, and whether these are sent to the Chinese government: while the CNZZ analytics service has been removed, analytics are still collected, now by “Umeng+”.[29] According to cybersecurity lawyer Steven T. Snyder, due to the sheer size of Deepin’s codebase, it is impossible to really scrutinize all the code comprising it to be sure the Chinese government doesn’t have backdoors.[29] The project does remain fully open source allowing anyone to review, modify or change the code to meet their standards.
Meanwhile Linux and systemd
Well, Windows is worse by far
Idk about worse but it is possible for two things to be bad. If one spies for china and the other spies for america, they’re both effectively the same. There’s other more trustworthy options than either however, so unless someone has a gun to your head forcing you to pick one of the two this whataboutism is a false dichotomy, just pick “something else.”
Ah yes, a dystopian government OS with direct uplink to the thought police is much less of a security risk and convenience loss than a by all objective measures reasonably working and widespread OS with broad compatibility, just because the latter is made by a for profit corporation, MICROSOFT EVUL GUYS AMIRITE
I’m a Linux user myself due to the hostile practices of win11, but get some perspective ffs
Sure…an open source OS is worse than a closed one. Because you are too lazy to check the former, yet trust the latter ignoring all its well documented cases of spying on users…
Maybe you should try to go back to basic logic over idiological tribalism before you question other people’s perspective.
I’m all for open source, but being open source does not mean that it cannot be, or even that it is unlikely to be malicious
Zero reading comprehension. I am not a windows user myself as I said, and would happily recommend virtually any other Linux distro (aside from the fact that I am at best a novice when it comes to the various differences) over windows.
But not one made by, or at least greenlit by an autocratic regime that actively seeks to gain influence abroad. People shouldn’t use fucking red star OS either.
Wow your propaganda susceptibility is really showing. Guess the american thought police did their job well. Imagine calling windows, a literal spyware masterpiece that sucks up every bit of data it can a " reasonably working and widespread OS with broad compatibility" and an open source piece of software, “a dystopian government OS with a direct uplink to the thought police”. Like honestly what thoughts exactly do you think China is pilicing on western users and how are they acting on them? Meanwhile Microsoft, Samsung, Google, are all actively collecting as much data as possible and not even trying to hide it anymore, despite not being open source.
Tbf windows is both those things, “a reasonably working and widespread literal spyware masterpiece that sucks up every bit of data it can, with broad compatibility.”
Not saying it’s good, but it “works,” it is widespread due to exclusivity contracts with the major manufacturers iirc and people’s reluctance to install anything else, it is compatible with a broad range of softwares and hardwares because if someone makes something it basically has to support windows, and it is great at spying on users.
Also tbf, if I ditched windows because of spying, why would I want to install a spying linux? I don’t want canonical’s bullshit either, if I’m ditching spying for spying I may as well just not and then I can keep using PKhex without going through wine ffs.
Btw china has been caught operating police stations illegally on “western™” soil. So like,
Basically “that.” https://www.newsweek.com/china-overseas-police-service-center-public-security-bureau-safeguard-defenders-transnational-crime-1764531
Why the fuck are there so many people in this thread trying to argue that a Chinese government sanctioned OS is a good choice?? Are you all insane?
My point merely was, and still is, that people shouldn’t recommend CCP bullshit over windows out of some misguided “brand loyalty” to Linux. Yes, windows is a poor OS made by a for profit corporation, aiming to make money off their users.
Now why the fuck would anyone conclude that instead of those “only” greedy pigs, a government that doesn’t even represent them and most certainly doesn’t have their best interests in mind, should have a native snooping feed built into their daily driver?
Especially when there are more actually free and open linux distros to choose from than there are colors in a rainbow?
TLDR: Windows sucks, I agree, but literally recommending government spyware over it is batshit insane and entirely antithetical to the free and open ideology behind Linux. And all the people responding to me seem to conflate arguing against ccpOS with arguing for windows.
So you say Microsoft doesnt “actively seek influence”?? LOL
Are you saying a corporation seeking profit and a hostile nation seeking global hegemony are the same level of evil?
Also, I dont use windows either ffs. Thought that was obvious.
Its just the countries of government changed lol. It’s not like we don’t have evidenced for microsoft leaking user data and allowing fbi to hack windows computers. At least in case of deepin we don’t have evidence
You think Microsoft doesn’t give a direct uplink to America’s thought police?
The odds that the US Government, under the authority of Patriot Act, has not inserted spyware into the Windows kernel, I put at an even 50/50.
The US Government has the motive, the leverage (huge customer of Microsoft), and maybe even the legal authority (the Patriot Act overreaches like crazy, and arguably compels certain government officials to gather all available data).
To be clear, I’ve never seen a shred of evidence that there’s any official sanctioned backdoor in Windows. But I can’t honestly claim to be sure it’s not there.
It’s all a bit of a moot point though, as the vast majority of Windows installs export nearly every scrap of data to Office Cloud, and if Office Cloud doesn’t have a government back door, I will eat my hat.
Source: The text of the Patriot Act. It basically outright says “we will put a listener anywhere we can reasonably fit one, on US soil.”
This is ridiculous. If someone could write the code, someone cluld analyze it. If noone has found anything suspicious or incriminating then this just seems like anti china propaganda. “Maybe this Chinese company is collecting data! Even though their code is publically available we cant know for sure!” Meanwhile every US company is sucking up telemetry on every keystroke. Like what a thing to argue about when Microsoft, Samsung, Google, Meta, etc etc exist. And tbh, id rather china have my data then the US anyway. The US is both more likely and more capable of using it against me.
Not just deepin, but really any piece of software made by a Chinese or Chinese owned company should be treated with suspicion. At least, until the inevitable fall of the CCP occurs.
This is insane. US companies blatantly collect data, meanwhile a chinese company releases OPEN SOURCE software that hasnt been shown to do anything malicious and your response is “but maybe they somehow hid some tracking in there”. Bro examine your prejudices.
What gets me is how everyone can spout this shit and not feel any shame. Somehow it’s okay when US companies do it, but even suspecting the Chinese is enough to shun something. I’m disappointed to see all the upvotes this bigotry gets.